Collision avoidance for mobile robots with limited sensing and limited information about moving obstacles

Abstract

This paper addresses the problem of safely navigating a mobile robot with limited sensing capability and limited information about stationary and moving obstacles. We consider two sensing limitations: blind spots between sensors and limited sensing range. We study three notions of safety: (1) static safety, which ensures collision-freedom with respect to stationary obstacles, (2) passive safety, which ensures collision-freedom while the robot is moving, and (3) passive friendly safety, which ensures the robot leaves sufficient room for obstacles to avoid collisions. We present a runtime approach, based on the Simplex architecture, to ensure these safety properties. To obtain the switching logic for the Simplex architecture, we identify a set of constraints on the sensor readings whose satisfaction at time t guarantees that the robot will still be able to ensure the safety property at time \(t + {\varDelta } t\), regardless of how it navigates during that time interval. Here, \({\varDelta } t\) is the period with which the switching logic is executed and is bounded by a function of the maximum velocity and braking power of the robot and the range of the sensors. To the best of our knowledge, this work is the first that provides runtime assurance that an autonomous mobile robot with limited sensing can navigate safely with limited information about obstacles. The limited information about obstacles is used to derive an over-approximation of the set of nearby obstacle points.

Appendix 1: Proof of correctness of the switching conditions

We prove the following:

1. P1:

   If no obstacle points are inside the safety region described in Sect. 4.2 then after \({\varDelta } t\) time units, the robot will still be able to guarantee the corresponding safety property.

   Specifically:

   1. P1.1:

      Static safety property: after \({\varDelta } t\) time units, the robot will be able to brake to a full stop without colliding with any static obstacles.

   2. P1.2:

      Passive safety property: after \({\varDelta } t\) time units, the robot will be able to brake to a full stop before any collisions with an obstacle can happen.

   3. P1.3:

      Passive friendly safety: after \({\varDelta } t\) time units, the robot will be able to brake to a full stop before any collision with an obstacle can happen, and after the robot stops, any moving obstacle can brake to a full stop without colliding with the robot.

2. P2:

   If the constraints \(S_{A_iA_{i'}}^\alpha \cap S_{{ safe}}^{ii'} = \emptyset \), for \(i = 1\ldots N\) where \(i' = (i \bmod N) + 1\), hold, then there are no obstacle points inside the safety region \(S_{{ safe}}\). In other words, the switching conditions in Sect. 4.4 are sound.

We define \(C_{P,r}\) as the set of points that are within Euclidean distance r from a point P, i.e., \(C_{P,r} = \{Q\ |\ PQ \le r\}\). In other words, \(C_{P,r}\) is a circular disk of radius r centered at P. It is trivial to show that \(Q \in C_{P,r} \rightarrow P \in C_{Q,r}\).

1.1 Proof of P1

P1 means that if no obstacle points are inside the safety region corresponding to the safety property of interest, then the robot does not need to begin braking now; it has enough room to start braking at the next time step if necessary to ensure the safety property.

In the following proofs, we assume that the computed reachable region, denoted \(S_{RR}\) is a conservative approximation to the actual reachable region. This is justified when we use safety disk with radius \(v_{max}{\varDelta } t\), whose correctness follows immediately from the definitions, and when we use the region computed by HyCreate, which uses a sound algorithm based on face lifting.

1.1.1 Proof of P1.1

As described in Sect. 4.2, the safety region \(S_{SS}\) corresponding to this safety property is obtained by expanding the reachable region \(S_{RR}\) by the worst-case braking distance \(d_b = v_{max}/2b\). Since there are no obstacle points inside the reachable region, the robot never comes into contact with any obstacles during \({\varDelta } t\) time units. We prove by contradiction that, if the robot starts braking at the next time step, it will come to a full stop without colliding with any static obstacles.

By definition, the \(S_{SS}\) is obtained by expanding \(S_{RR}\) by \(d_b\). That means \(C_{A,d_b} \subseteq S_{SS} \quad \forall A \in S_{RR}\).

Suppose after \({\varDelta } t\) time units, the robot reaches point \(A \in S_{RR}\) then starts braking at maximum braking power b and collides with an obstacle point \(B \not \in S_{SS}\), meaning B is on the braking trajectory of the robot. In the worst-case scenario, the robot starts braking from its maximum speed \(v_{max}\) and comes to a full stop after traveling a distance \(d_b = v_{max}/2b\). That means all possible braking trajectories are contained inside \(C_{A,d_b}\). Since obstacle point B is a point on the braking trajectory, we have \(B \in C_{A,d_b}\). But \(C_{A,d_b} \subset S_{SS}\), therefore \(B \in S_{SS}\), a contradiction.

1.1.2 Proof of P1.2

By definition, the safety region \(S_{PS}\) for ensuring passive safety for moving obstacles is obtained by expanding \(S_{SS}\) by \(d_o = V({\varDelta } t + t_b)\), where V is the maximum speed of obstacles, and \(t_b\) is the worst-case braking time of the robot. That means \(C_{A,d_o} \subseteq S_{PS} \quad \forall A \in S_{SS}\).

We will prove that the robot can start to brake after \({\varDelta } t\) time units and then come to a full stop without colliding with any obstacles. Let T be the set of all trajectories on which the robot move during the next time step and then brake to a full stop. The definition of \(S_{SS}\) implies it contains T. Suppose there is a collision before the robot can come to a full stop, i.e., there is an obstacle point B outside \(S_{PS}\) that collides with the robot at point C after some time \(t \le {\varDelta } t + t_b\) while the robot is moving on some trajectory in T. Since maximum speed of obstacles is V, the maximum distance that B can travel in t time units is \(Vt \le d_o\). That means \(C \in C_{B,d_o}\), which in turns means \(B \in C_{C,d_o}\). Because \(C \in S_{SS}\), we have \(C_{C,d_o} \subseteq S_{PS}\). Therefore, \(B \in S_{PS}\), a contradiction.

1.1.3 Proof of P1.3

By definition, the safety region \(S_{PFS}\) for ensuring passive friendly safety for moving obstacles is obtained by expanding \(S_{PS}\) by \(d_{bo} = V\tau + V^2/2b_o\), where V is the maximum speed of obstacles, \(\tau \) is the upper bound on the reaction time of the obstacles, and \(b_o\) is the lower bound on the braking power of the obstacles. That means \(C_{A,d_{bo}} \subseteq S_{PFS} \quad \forall A \in S_{PS}\).

Since \(S_{PFS}\) is bigger than \(S_{PS}\), it follows from the passive safety proof that the robot can come to a full stop before a collision can occur. We prove that after the robot comes to a full stop, the obstacle can brake to a full stop without colliding with the robot. Specifically, we show that applying any braking power greater than or equal to \(b_o\) brings the obstacle to a complete stop without colliding with the robot.

Suppose the robot stops at point \(A \in S_{SS}\). For a collision to occur, A must belong to some trajectory of some obstacle point. Suppose there are no obstacle points inside \(S_{PFS}\) and after \(\tau \) time units following the time when the robot stops, an obstacle starts braking but collides with the robot before the obstacle comes to a full stop. Let B denote the location of the obstacle point at the beginning of the current time step and later collides with the robot. From the assumptions, we have \(B \not \in S_{PFS}\). The worst-case time for the robot to move during the next time step time units and then brake to a full stop is \({\varDelta } t + t_b\). During the time \({\varDelta } t + t_b\) and the worst-case reaction time \(\tau \), the obstacle can travel a maximum distance of \(d_o = V({\varDelta } t + t_b + \tau )\). The worst-case braking distance of the obstacle is \(d_{bo} = V^2/2b_o\). That means for A to belong to a trajectory of the obstacle point starting at B, A must be in \(C_{B,d_o + d_{bo}}\). That in turns means \(B \in C_{A,d_o + d_{bo}}\). But the definition of \(S_{PFS}\) implies \(S_{A,d_o + d_{bo}} \in S_{PFS}\), which means \(B \in S_{PFS}\), a contradiction.

1.2 Proof of P2

The derivation of the switching conditions Sect. 4 shows that the switching conditions are designed to imply the constraints \(S_{A_iA_{i'}}^\alpha \cap S_{{ safe}}^{ii'} = \emptyset \) for \(i = 1\ldots N\) where \(i' = (i \bmod N) + 1\). We prove by contradiction that, if these constraints hold, there are no obstacle points inside the safety region \(S_{safe}\). \(S_{safe}\) could be \(S_{SS}, S_{PS}\), or \(S_{PFS}\). The proof relies on the assumptions about obstacles presented in Sect. 4.

The high-level idea of the proof is that since \(S_{A_iA_{i'}}^\alpha \cap S_{{ safe}}^{ii'} = \emptyset \), and \(S_{A_iA_{i'}}^\alpha \) contains all possible vertices whose edges pass through \(A_i\) and \(A_{i'}\), it would be contradictory if an obstacle point is in \(S_{{ safe}}^{ii'}\).

Fig. 13

Illustration of case 1. a Neither \(s_1\) nor \(s_2\) detects the obstacle. b Exactly one of \(s_1\) and \(s_2\) detects the obstacle at distance greater than \(l_{min}\). c Both \(s_1\) and \(s_2\) detect the obstacle at distances greater than \(l_{min}\). \(OB_1\) and \(OB_2\) are the actual distances detected by \(s_1\) and \(s_2\) respectively

Suppose the above constraints are satisfied and there is an obstacle point in \(S_{safe}\), i.e., \(S_{A_iA_{i'}}^\alpha \cap S_{{ safe}}^{ii'} = \emptyset \) for \(i = 1 \ldots N\) where \(i' = (i \bmod N) + 1\), and \(S_{obstacle} \cap S_{{ safe}} \ne \emptyset \). Let \(C \in S_{obstacle} \cap S_{{ safe}}\) be an obstacle point that lies within the safety region. Since the wedges \(S_{{ safe}}^{ii'}\) cover the safety region, C must belong to at least one wedge. Without loss of generality, assume \(C \in S_{obstacle} \cap S_{{ safe}}^{12}\). We consider three cases, based on the distances \(OA_1\) and \(OA_2\): (1) \(OA_1 = OA_2 = l_{min}\); (2) \(OA_1< OA_2 = l_{min} \vee OA_2 < OA_1 = l_{min}\); and (3) \(OA_1, OA_2 < l_{min}\). Case 1 covers three sub-cases: (1a) neither sensors detects the obstacle; (1b) exactly one sensor detects the obstacle at a distance of at least \(l_{min}\); and (1c) both sensors detect the obstacle at distances of at least \(l_{min}\). Case 2 covers two sub-cases: (2a) exactly one sensor detects the obstacle at a distance less than \(l_{min}\); (2b) one sensor detects the obstacle at a distance less than \(l_{min}\), the other at a distance of at least \(l_{min}\). Case 3 covers the only case when both sensors detect the obstacle at distances less than \(l_{min}\). In all cases, the proof relies on the fact that there is at most one vertex of the obstacle within the triangle \(OA_1A_2\) (because \(OA_1, OA_2 \le l_{min}\) and \(\angle A_1OA_2 < \pi /3\)).

1.2.1 Case 1: \(OA_1 = OA_2 = l_{min}\)

As shown in Fig. 13, case 1 comprises three sub-cases. The proof is the same for these sub-cases. For C to be in \(S_{{ safe}}^{12}\), there must be a vertex that fits between the sensors and intersects the safety disk. Let \(E_1\) and \(E_2\) be the intersections between line segment \(A_1A_2\) and the edges of the obstacle. Let D be the vertex of the obstacle. The geometry implies \(\angle A_1CA_2 \ge \angle E_1CE_2 \ge \angle E_1DE_2\). We know from our assumptions that \(\angle E_1DE_2 \ge \alpha \), so \(\angle A_1CA_2 \ge \alpha \). This means \(C \in S_{A_1A_2}^\alpha \), therefore \(C \in S_{A_1A_2}^\alpha \cap S_{{ safe}}^{12}\). This contradicts the assumption that \(S_{A_1A_2}^\alpha \cap S_{{ safe}}^{12} = \emptyset \).

1.2.2 Case 2: \(OA_1< OA_2 = l_{min} \vee OA_2 < OA_1 = l_{min}\)

Fig. 14

Illustration of case 2. a Exactly one of \(s_1\) and \(s_2\) detects the obstacle within distance \(l_{min}\). b One sensor detects the obstacle at distance less than \(l_{min}\), the other detects the obstacle at distance greater than \(l_{min}\). \(OB_2\) is the actual distance detected by \(s_2\)

Fig. 15

Sensors \(s_1\) and \(s_2\) detect the obstacle at distances less than \(l_{min}\). \(A_1\) and \(A_2\) both lie on the same edge. For C to be in \(S_{{ safe}}^{12}, A_1A_2\) must intersect \(S_{{ safe}}^{12}\). That means \(S_{A_1A_2}^\alpha \cap S_{{ safe}}^{12} \ne \emptyset \), a contradiction

Without loss of generality, assume \(OA_1 < OA_2 = l_{min}\). There is a trivial sub-case when \(A_1\) is inside the safety disk. In that case, we can choose C to be \(A_1\) and that leads to \(C \in S_{A_1A_2}^\alpha \), contradicting the assumption \(S_{A_1A_2}^\alpha \cap S_{{ safe}}^{12} = \emptyset \). Consider two sub-cases when \(A_1\) is outside the safety disk as shown in Fig. 14. The proof for both sub-cases is as follows. For C to be in \(S_{{ safe}}^{12}\), there must be a vertex D of the obstacle that intersects the safety disk and has one edge that passes through \(A_1\). Let \(E_2\) be the intersection between line segment \(A_1A_2\) and the obstacle’s other edge incident on D. We have \(\angle A_1CA_2 \ge \angle A_1CE_2 \ge \angle A_1DE_2 \ge \alpha \). Therefore \(C \in S_{A_1A_2}^\alpha \), contradicting the assumption \(S_{A_1A_2}^\alpha \cap S_{{ safe}}^{12} = \emptyset \).

Fig. 16

Sensor \(s_1\) detects the obstacle at \(A_1\), sensor \(s_2\) detects the obstacle at \(A_2\) where \(OA_1, OA_2 \le l_{min}\)

1.2.3 Case 3: \(OA_1< l_{min} \wedge OA_2 < l_{min}\)

Suppose sensors \(s_1\) and \(s_2\) detect the obstacle at \(A_1\) and \(A_2\), respectively. We consider two sub-cases: (3a) \(A_1\) and \(A_2\) lie on the same edge of the obstacle; and (3b) \(A_1\) and \(A_2\) lie on different edges of the obstacle. It is easy to see the contradiction for case (3a), as shown in Fig. 15. Consider case (3b). As shown in Fig. 16, for C to be in \(S_{{ safe}}^{12}\), there must be a vertex D of the obstacle that intersects the safety disk and has one edge that passes through \(A_1\). Let E be the intersection between \(A_1A_2\) and the obstacle’s other edge incident on D. We have \(\angle A_1CA_2 \ge \angle A_1CB \ge \angle A_1DB \ge \alpha \). Therefore \(C \in S_{A_1A_2}^\alpha \), contradicting the assumption that \(S_{A_1A_2}^\alpha \cap S_{{ safe}}^{12} = \emptyset \).